On 02/14/2010 10:17 PM, Jafaruddin Lie wrote:
>
> We do have a CISCO ASA 5520 that the outgoing mailserver sits behind,
> and I have done the no fixup protocol on the box to no avail.
> I have also enabled ICMP from that box to our internal mail server,
> and ping works so I figure the ICMP NO-FRAGMENT wouldn't be an issue
> here now.
>
It sounds as though the issue surfaced about the same time the new
security device came into play.  If so, it might help to make that
absolutely clear to everyone who reads this thread.  Is this the only
change in the environment?  From what you've said above, it sounds like
you're on the right track.  The only thing I noticed is that you mentioned
fixup (PIX) and not inspect (ASA).  I don't have an ASA in front of me
ATM (and honestly, I'm not all that good with them anyway), however
something 'like' the following commands should get you to the right
place if you don't have access to ASDM (assuming you haven't changed too
much in the default configuration).  There are plenty of examples all
over the net if you use the correct search terms.  Obviously, you should
do a 'show run' to make sure my second assumption is correct (and that
this could even be the problem).

{{{
policy-map global_policy
  class inspection_default
   no inspect esmtp
}}}

Don't forget to write, else it'll be gone on reboot if it works.  Sorry,
done that a couple of times myself, though I always dump my configs.  A
friendly reminder never hurts either way.

BTW, here is a better example than the Cisco docs (IMO), probably should
have just linked to there in the first place instead of the above
gibberish.  Oh well.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html

-- DJ Lucas
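One way to confirm whether an inline SMTP inspector is still in the path after the change above, as an added example that is not part of this thread or of any Cisco documentation: a small checker that compares the banner and EHLO reply a client sees from outside the ASA with what the mail server advertises when queried from inside. It assumes classic PIX/ASA SMTP inspection behaviour, where the server greeting is overwritten with `*` characters and some extension keywords are hidden from the EHLO reply; the host names, the 50% masking threshold and the sample responses are constructed for the example.

```python
"""Spot an SMTP-inspecting firewall by comparing banner and EHLO replies.

Added example for the thread above, not code from the original message.
Assumption: a Cisco-style inspector ('fixup protocol smtp' / 'inspect
esmtp') masks the 220 banner with '*' and drops some EHLO extensions.
Sample responses below are constructed, not captured from a real host.
"""
from __future__ import annotations

import socket

# Constructed samples (hypothetical host names, not from the thread).
CLEAN_BANNER = "220 mail.example.com ESMTP Postfix"
MASKED_BANNER = "220 **************************"
FULL_EHLO = (
    "250-mail.example.com\n250-SIZE 10240000\n250-STARTTLS\n"
    "250-8BITMIME\n250 PIPELINING"
)
FILTERED_EHLO = "250-mail.example.com\n250-SIZE 10240000\n250 8BITMIME"


def looks_masked(banner: str, threshold: float = 0.5) -> bool:
    """True if the banner text after the 220 code is mostly '*' characters,
    which is how PIX/ASA SMTP inspection hides the server greeting."""
    text = banner[3:].strip()  # drop the "220" reply code
    if not text:
        return False
    return text.count("*") / len(text) > threshold


def parse_ehlo(reply: str) -> list[str]:
    """Return extension keywords from a multi-line 250 EHLO reply.
    The first 250 line carries the server name, not an extension."""
    keywords = []
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # skip "250-" or "250 "
        if body:
            keywords.append(body.split()[0].upper())
    return keywords[1:]


def assess(banner: str, ehlo_reply: str, expected: set[str]) -> dict:
    """Compare the outside view with the extensions the server really
    offers (expected); masking or missing keywords point at an inspector."""
    seen = set(parse_ehlo(ehlo_reply))
    return {
        "banner_masked": looks_masked(banner),
        "missing_extensions": sorted(expected - seen),
    }


def _read_reply(reader) -> str:
    """Read one SMTP reply, which may span several 'NNN-' lines."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":  # "NNN " ends the reply
            break
    return "\n".join(lines)


def probe(host: str, port: int = 25, timeout: float = 5.0) -> tuple[str, str]:
    """Live check: fetch the banner and EHLO reply from host:port.
    Run it from both sides of the firewall and feed the results to assess().
    Not called by the constructed sample below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("r", encoding="ascii", errors="replace")
        banner = _read_reply(reader)
        s.sendall(b"EHLO probe.example.invalid\r\n")  # hypothetical client name
        ehlo = _read_reply(reader)
        s.sendall(b"QUIT\r\n")
    return banner, ehlo


if __name__ == "__main__":
    inside = set(parse_ehlo(FULL_EHLO))
    print("clean:", assess(CLEAN_BANNER, FULL_EHLO, inside))
    print("inspected:", assess(MASKED_BANNER, FILTERED_EHLO, inside))
```

With the constructed samples, the "inspected" case reports a masked banner and STARTTLS and PIPELINING missing from the EHLO reply, while the "clean" case reports neither; after `no inspect esmtp` has been applied (and written to startup config), a probe from outside should look like the clean case.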